Android App Pentesting
Null Dubai 2020
Romansh Yadav
Content
Android Introduction & Basics
Setting up the Android Pen testing environment lab
Reverse engineering & runtime manipulation
Application Components and security issues
Data and Network interception – manipulation and analysis
Defensive Tools & Techniques for Android
Android Introduction & Basics
Android system Architecture
➢ Application
➢ Application Framework
➢ Libraries
➢ Android runtime
➢ Linux kernel
Android File System
 Android uses the Linux file system structure, which has a single root.
 /etc
 /sdcard
 /sdcard-ext
Android - Permission model & sandboxing
• Android assigns a unique user ID (UID) to each Android application and runs it in its own process.
• Android uses the UID to set up a kernel-level Application Sandbox.
• On Android, each app runs as its own “user” as far as the kernel is concerned (its UID), and the kernel guarantees that different “users” cannot interfere with each other or access each other’s files.
Android Application Fundamentals
Android apps are written in the Java programming language.
The Android SDK tools compile your code—along with any data
and resource files—into an APK: an Android package, which is an
archive file with an .apk suffix.
One APK file contains all the contents of an Android app and is
the file that Android-powered devices use to install the app.
Java code into APK
 Java code
 javac compiler
 .class files (bytecode)
 dx compiler
 classes.dex, i.e. Dalvik executable code
 Then the .apk
Android Components
 Content Provider
 Activity
 Services
 Broadcast Receiver
 Intents
 Intents bind individual components to each other at runtime (think of them as the messengers that request an action from other components), whether the component belongs to your app or to another app.
Setting up the Pen testing environment
Setting up the Android emulator & other required settings.
 Download the Santoku VM
 Download Appie for Windows OS
 Download Genymotion
 Deploy a custom Android 6.0 OS image into Genymotion
 Start the Android OS from Genymotion
 Both VMs should be on the same network
 Ping the Android OS IP from the Santoku VM
Penetration Testing Approach
Static Penetration testing
 Code at rest, app is not running
 Decompile the APK
 Analyse the source code
Dynamic penetration testing
 App is running
 Bypass restrictions by hooking the app
 Analyse the application using Burp Suite
 Runtime manipulation
Reverse engineering & runtime manipulation
Tampering and Reverse Engineering
 Reverse engineering a mobile app is the process of analyzing the compiled app to extract information about its source code. The goal of reverse engineering is comprehending the code.
 Tampering is the process of changing a mobile app (either the compiled app or the running process) or its environment to affect its behavior. For example, an app might refuse to run on your rooted test device, making it impossible to run some of your tests. In such cases, you'll want to alter the app's behavior.
APK De-compilation
 There are many tools to decompile an APK
 Let's try the first method
 apktool d name.apk
 You will get a folder with smali code
 Try to explore all these folders
APK De-compilation
 d2j-dex2jar name.apk
 jd-gui filename.jar
 Try to understand the code
APK De-compilation
 An APK file is an archive file
 unzip name.apk
 .class file
 d2j-dex2jar .class file
 You will get the class.jar file
Android manifest file
 Central file
 Permissions
 Exported services
Reading the class files
 Let's try to explore every file we got after APK de-compilation
 Go to each and every folder
 Look at all the file names too
 Try to find hard-coded information
 Search for strings like username, password
 Search for algorithm names like MD5, SHA-1, SHA-256
Hands on – Very Basic Bypass of Application Restrictions
 PostLogin.smali
 Search for the method showRootStatus
 Search for keywords like “device not rooted”
 “Device rooted”
 Try to read it
Hands on - Bypass Application Restrictions
 Add a line
 goto :cond_2
Hands on - Recompile and Resign the APK
 apktool b foldername
 java -jar sign.jar InsecureBankv2.apk
 adb install filename.apk
 Run the application
 You will find “device not rooted”.
Hands on – Authorization bypass using code Tampering
 apktool d insecurebankv2.apk
 InsecureBankv2/res/values
 strings.xml
 Modify the value of “is_admin” from “no” to “yes”
 apktool b insecurebankv2
 Sign the APK
 Install the APK
 You will see a new button, Create User
Frida
 As per the Frida website:
 “It’s Greasemonkey for native apps, or, put in more technical terms, it’s a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX.
 Frida also provides you with some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.”
Frida
 We need to install some Python packages for the Frida client.
 For this, enter the following commands in a terminal:
 python -m pip install frida
 python -m pip install objection
 python -m pip install frida-tools
 Or
 pip install frida
 pip install objection
 pip install frida-tools
Frida-server
 We need to download the frida-server package for our Android device according to the device’s CPU architecture.
 https://github.com/frida/frida/releases/
 To find out the architecture of the device, run the following command:
 adb shell getprop ro.product.cpu.abi
 To cut it short, download the following if the device configuration is the same as mentioned above:
 frida-server-12.4.7-android-x86.xz
 frida-server-12.4.7-android-x86_64.xz
Hands on - Runtime manipulation
 Runtime manipulation with Frida
 Bypass the root detection using Frida
 adb push frida-server-file /data/local/tmp
 adb shell chmod 777 /data/local/tmp/frida-server
 adb shell /data/local/tmp/frida-server &
 frida-ps -aU
 frida -U -f package-name -l script.js --no-pause
Application Components and security issues
Finding hard-coded credentials
 d2j-dex2jar insecurebankv2.apk
 jd-gui jarfile.jar
 Search for “username”
 Search for “password”
 The devadmin username is found
 Also called a developer backdoor
Insecure data storage
 Insecure storage of data. Many developers assume that storing data on the client side will prevent other users from accessing it.
 Shared folder
 External storage like the sdcard
 SQLite3 database
Drozer
 One of the essential tools in Android application security assessment.
 Drozer is already installed in Appie; if you are using it, no installation and setup are needed.
 By default the server listens on port 31415, so in order to forward all commands from the drozer client to the drozer server we use the Android Debug Bridge (ADB) to forward the connection.
 Type adb forward tcp:31415 tcp:31415 in the console.
 Type drozer console connect and it will split the screen and open drozer in the other part.
Invoking Activities using drozer
 Now you can just type list in the drozer console and it will list all the modules that come pre-installed with drozer.
 run app.package.attacksurface <<package_name>>
 Attacking activities by launching them:
 List the activities of a package:
run app.activity.info -a <<package_name>>
 To launch any selected activity:
run app.activity.start --component <<package_name>> <<activity_name>>
Invoking Activities using Activity manager
 am start -n com.android.insecurebankv2/.PostLogin
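The attack surface drozer reports with app.package.attacksurface and app.activity.info can also be read straight out of the apktool-decoded AndroidManifest.xml. The audit below is an added example, not part of the slides or of InsecureBankv2; the manifest text is a constructed sample, and the exported-by-default rule it applies (a component with an intent-filter but no android:exported is exported before targetSdk 31) is the one the Android docs state.

```python
"""Audit an apktool-decoded AndroidManifest.xml for exported components.

Added example (not from the original slides): reproduces from the decompiled
APK what drozer's app.package.attacksurface / app.activity.info show.
SAMPLE_MANIFEST is constructed for the demo, not the real InsecureBankv2 manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (package name and components are made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PostLogin" android:exported="true"/>
    <activity android:name=".ChangePassword"/>
    <receiver android:name=".MyBroadCastReceiver">
      <intent-filter>
        <action android:name="theBroadcast"/>
      </intent-filter>
    </receiver>
    <provider android:name=".TransactionProvider"
              android:authorities="com.example.bank.TransactionProvider"
              android:exported="true"/>
    <service android:name=".SyncService"
             android:exported="true"
             android:permission="com.example.bank.SYNC"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component, target_sdk):
    """Effective exported state of one component.

    An explicit android:exported wins. Without it, a component that declares
    an intent-filter is exported by default below targetSdk 31 (Android 12
    rejects the omission at install time); one without a filter is private.
    """
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    has_filter = component.find("intent-filter") is not None
    return has_filter and target_sdk < 31


def audit_manifest(xml_text, target_sdk=28):
    """Return findings as (tag, name, detail) tuples, in manifest order."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if _attr(app, "allowBackup") == "true":
        findings.append(("application", "allowBackup", "adb backup can export app data"))
    if _attr(app, "debuggable") == "true":
        findings.append(("application", "debuggable", "debugger / run-as attach possible"))
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp, target_sdk):
            continue
        if _attr(comp, "permission") is not None:
            continue  # exported, but callers must hold a permission
        if comp.tag == "activity" and any(
                _attr(c, "name") == "android.intent.category.LAUNCHER"
                for c in comp.iter("category")):
            continue  # the launcher activity is exported by design
        findings.append((comp.tag, _attr(comp, "name"), "exported without a permission"))
    return findings


if __name__ == "__main__":
    for tag, name, detail in audit_manifest(SAMPLE_MANIFEST):
        print("%-12s %-28s %s" % (tag, name, detail))
```

Running it against the sample flags allowBackup, debuggable, the PostLogin activity, the broadcast receiver and the provider, and stays quiet on the permission-protected service, the launcher activity and the private ChangePassword activity.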
Analyzing logs using logcat
 logcat
 pidcat
Weak hashing algorithm
 File: mySharedPreferences.xml
 The username and password are stored in encrypted form in the file.
 Value of “superSecurePassword”
 Check the file cryptoclass.class in jd-gui
 AES/CBC/PKCS5PADDING
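The manual search the slides describe over the jd-gui output (username/password strings, MD5/SHA-1, and a static key handed to AES/CBC) can be automated as a small scanner over the decompiled sources. This is an added example, not part of the slides; the Java snippets are constructed stand-ins for decompiled classes (the key and password values are placeholders), and the regexes are heuristics to tune per code base.

```python
"""Scan decompiled Android sources for hard-coded secrets and weak crypto.

Added example, not from the original slides. The rules encode the three
manual searches the slides suggest after APK decompilation. SAMPLE_FILES are
constructed stand-ins for jd-gui output, not the real InsecureBankv2 code.
"""
import re

# Heuristic rules: (finding id, regex applied per line, severity).
RULES = [
    # a non-trivial string literal assigned to something named like a credential or key
    ("hardcoded-credential",
     re.compile(r'(?i)\b\w*(user|pass|pwd|secret|token|key)\w*\s*=\s*"[^"]{3,}"'),
     "high"),
    # MD5 and SHA-1 are unfit for anything security-relevant
    ("weak-digest",
     re.compile(r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"\s*\)'),
     "medium"),
    # AES/CBC gives confidentiality only; with a key shipped in the APK
    # (the superSecurePassword case) it is obfuscation, not protection
    ("cbc-no-integrity",
     re.compile(r'Cipher\.getInstance\(\s*"AES/CBC/PKCS5Padding"\s*\)'),
     "medium"),
]


def scan_source(path, text):
    """Return [(path, line_no, finding_id, severity, line)] for one source file."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for fid, rx, sev in RULES:
            if rx.search(line):
                hits.append((path, no, fid, sev, line.strip()))
    return hits


def scan_tree(files):
    """files: {relative path: source text}, e.g. read from a jd-gui source export."""
    hits = []
    for path in sorted(files):
        hits.extend(scan_source(path, files[path]))
    return hits


# Constructed decompiled-source samples (not the real application code).
SAMPLE_FILES = {
    "com/example/bank/DoLogin.java": '''
public class DoLogin {
    private static final String devadmin_user = "devadmin";   // developer backdoor
    private static final String devadmin_pass = "PLACEHOLDER_PASSWORD";
    boolean isDev(String u) { return u.equals(devadmin_user); }
}''',
    "com/example/bank/CryptoClass.java": '''
public class CryptoClass {
    private static final String KEY = "CONSTRUCTED_STATIC_KEY_00000000";
    byte[] enc(byte[] plain) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY.getBytes("UTF-8"), "AES"));
        return c.doFinal(plain);
    }
    byte[] digest(String s) throws Exception {
        return MessageDigest.getInstance("MD5").digest(s.getBytes());
    }
}''',
}


if __name__ == "__main__":
    for path, no, fid, sev, line in scan_tree(SAMPLE_FILES):
        print("%s:%d [%s/%s] %s" % (path, no, sev, fid, line))
```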
Exploiting content providers using drozer
 run app.package.attacksurface <<package_name>>
 Find the URIs
 run app.provider.finduri <<package_name>>
 run app.provider.query <<uri>>
Hands on - Using broadcast receivers
 am broadcast -a theBroadcast -n com.android.insecurebankv2/com.android.insecurebankv2.MyBroadCastReceiver --es phonenumber 971867 --es newpass heythere
<do it yourself with frida at home>
 run app.broadcast.info --package <<package_name>>
 run app.broadcast.send -- <<do it yourself>>
Exploiting misconfigured Android backup
 adb backup -apk -shared com.android.insecurebankv2
 When prompted on the emulator, click on the “Back Up my Data” option.
 You get a .ab file
 Convert the file into a readable format:
 cat backup.ab | (dd bs=24 count=0 skip=1; cat) | zlib-flate -uncompress > backupdata.tar
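The dd/zlib-flate one-liner above works because an unencrypted .ab file is four newline-terminated header lines (magic, version, compression flag, encryption scheme) totalling 24 bytes, followed by a zlib stream of a tar archive. The parser below is an added example (not from the slides) that does the same in Python, refuses encrypted archives instead of producing garbage, and builds its own sample archive in memory so it runs offline; the file names in the sample are constructed.

```python
"""Parse an `adb backup` archive (.ab) header and list its payload.

Added example, not from the original slides. Equivalent to
`(dd bs=24 count=0 skip=1; cat) | zlib-flate -uncompress`, with the header
actually checked. The sample archive is constructed in memory for the demo.
"""
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data):
    """Return (version, compressed, encryption, header_len) for an .ab blob.

    Header layout: "ANDROID BACKUP\\n", version, compressed flag (0/1) and
    the encryption scheme ("none" or "AES-256"), each newline-terminated.
    For version 1, unencrypted, compressed that is exactly 24 bytes.
    """
    lines = data.split(b"\n", 4)
    if len(lines) < 5 or lines[0] != MAGIC:
        raise ValueError("not an Android backup archive")
    version = int(lines[1])
    compressed = lines[2] == b"1"
    encryption = lines[3].decode("ascii")
    header_len = len(data) - len(lines[4])   # payload is whatever follows
    return version, compressed, encryption, header_len


def extract_backup_names(data):
    """List the paths stored in an unencrypted .ab archive.

    An app that leaves android:allowBackup at its default (true) lets anyone
    with adb access pull exactly these files; allowBackup="false" closes it.
    """
    version, compressed, encryption, header_len = parse_ab_header(data)
    if encryption != "none":
        raise ValueError("encrypted backup (%s): cannot inflate without the password" % encryption)
    payload = data[header_len:]
    if compressed:
        payload = zlib.decompress(payload)
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        return [m.name for m in tar.getmembers()]


def build_sample_backup(files, compressed=True):
    """Construct a minimal version-1, unencrypted .ab blob (test fixture)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    payload = zlib.compress(buf.getvalue()) if compressed else buf.getvalue()
    header = MAGIC + b"\n1\n" + (b"1\n" if compressed else b"0\n") + b"none\n"
    return header + payload


# Constructed sample: the kind of content a backup of a banking app exposes.
SAMPLE_FILES = {
    "apps/com.example.bank/sp/mySharedPreferences.xml":
        b'<map><string name="EncryptedUsername">...</string></map>',
    "apps/com.example.bank/db/mydb": b"SQLite format 3\x00",
}


if __name__ == "__main__":
    blob = build_sample_backup(SAMPLE_FILES)
    print("header bytes:", parse_ab_header(blob)[3])   # 24, hence dd bs=24 skip=1
    for name in extract_backup_names(blob):
        print(name)
```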
WebView vulnerabilities
 WebViews are used in Android applications to load content and HTML pages within the application. Because of this, the WebView implementation must be secure so as not to expose the application to great risk.
 XSS in a WebView
 Accessing local files
MobSF
 "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis." --- from the GitHub page
 docker pull opensecurity/mobile-security-framework-mobsf
 docker run -it --name mobsf -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Data and Network interception – manipulation and analysis
Hands on - Importing SSL certificates & trusted CAs
 Burp Suite certificate import
Traffic interception (Active & Passive)
 Active traffic interception using Burp
 Passive traffic interception using Wireshark, tshark
Proxies and sniffers
 Wireshark and tcpdump
 Burp Suite
Hands on - Intercepting application traffic
 Hands-on practical
 IDOR attack
 API vulnerabilities
Defensive Tools & Techniques for Android
Code Obfuscation Techniques
 Obfuscation helps protect your application against reverse engineering.
 Android's ProGuard tool obfuscates, shrinks, and optimizes your code.
 ProGuard renames classes, fields, and methods with semantically obscure names and removes unused code.
 Let's obfuscate an app and see how ProGuard works
OWASP advanced mobile application code review techniques
▪ Source code review
▪ https://www.owasp.org/images/5/53/OWASP_Code_Review_Guide_v2.pdf
Insecure Network connections
▪ Protect the data while in transit
▪ The most commonly used protocols are HTTP and HTTPS
▪ HTTPS should be used
▪ Never use setAllowsAnyHTTPSCertificate:forHost:
▪ Fail safe on SSL error - implement the connection:didFailWithError: delegate
▪ Do not redirect to HTTP
Benefits of Mobile Application Code Reviews
▪ Detect injection flaws
▪ Detect backdoors or suspicious code
▪ Detect hardcoded passwords and secret keys
▪ Detect weak algorithm usage and hardcoded keys
▪ Detect the data storage definitions
References
▪ https://github.com/dineshshetty/Android-InsecureBankv2
▪ https://appsecwiki.com/#/mobilesecurity
▪ https://github.com/HTBridge/pivaa
▪ https://www.owasp.org/images/5/53/OWASP_Code_Review_Guide_v2.pdf
Q/A Sessions
Thank you

More Related Content

What's hot

Continuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanContinuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma Scan
Puma Security, LLC
 
Student Spring 2021
Student Spring 2021Student Spring 2021
Student Spring 2021
Denis Zakharov
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
DevSecCon
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101
OWASP
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime Whitepaper
Ajin Abraham
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
Gene Gotimer
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep Jadon
Mandeep Jadon
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020
OWASP
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patterns
Stephen de Vries
 
[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101
OWASP
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
Puma Security, LLC
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!
espheresecurity
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-ons
Ajin Abraham
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
OWASP
 
Security in serverless world
Security in serverless worldSecurity in serverless world
Security in serverless world
Yan Cui
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Márcio Rosa
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat Security Conference
 

What's hot (20)

Continuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanContinuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma Scan
 
Student Spring 2021
Student Spring 2021Student Spring 2021
Student Spring 2021
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
 
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime Whitepaper
 
Securing Apache Web Servers
Securing Apache Web ServersSecuring Apache Web Servers
Securing Apache Web Servers
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep Jadon
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patterns
 
[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-ons
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
Security in serverless world
Security in serverless worldSecurity in serverless world
Security in serverless world
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
 

Similar to Null Dubai Humla_Romansh_Yadav_Android_app_pentesting

FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
Tony Thomas
 
Android security by ravi-rai
Android security by ravi-raiAndroid security by ravi-rai
Android security by ravi-rai
Ravi Rai
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
Ron Munitz
 
Null mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-ExploitationNull mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-Exploitation
Nitesh Malviya
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
Minali Arora
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
Vandana Verma
 
Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)
Chandrapal Badshah
 
Manish Chasta - Securing Android Applications
Manish Chasta - Securing Android ApplicationsManish Chasta - Securing Android Applications
Manish Chasta - Securing Android ApplicationsPositive Hack Days
 
Securing android applications
Securing android applicationsSecuring android applications
Securing android applications
Jose Manuel Ortega Candel
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
OWASPKerala
 
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf
 
Android's security architecture
Android's security architectureAndroid's security architecture
Android's security architecture
Ofer Rivlin, CISSP
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
Abraham Aranguren
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Appium
AppiumAppium
Hacking & Securing of iOS Apps by Saurabh Mishra
Hacking & Securing of iOS Apps by Saurabh MishraHacking & Securing of iOS Apps by Saurabh Mishra
Hacking & Securing of iOS Apps by Saurabh Mishra
OWASP Delhi
 
iOS Client Side Analysis
iOS Client Side AnalysisiOS Client Side Analysis
iOS Client Side Analysis
Aadarsh N
 

Similar to Null Dubai Humla_Romansh_Yadav_Android_app_pentesting (20)

FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 
Android security by ravi-rai
Android security by ravi-raiAndroid security by ravi-rai
Android security by ravi-rai
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
 
Null mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-ExploitationNull mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-Exploitation
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
 
Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)
 
Manish Chasta - Securing Android Applications
Manish Chasta - Securing Android ApplicationsManish Chasta - Securing Android Applications
Manish Chasta - Securing Android Applications
 
Securing android applications
Securing android applicationsSecuring android applications
Securing android applications
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
 
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
 
Android's security architecture
Android's security architectureAndroid's security architecture
Android's security architecture
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
Appium
AppiumAppium
Appium
 
Hacking & Securing of iOS Apps by Saurabh Mishra
Hacking & Securing of iOS Apps by Saurabh MishraHacking & Securing of iOS Apps by Saurabh Mishra
Hacking & Securing of iOS Apps by Saurabh Mishra
 
iOS Client Side Analysis
iOS Client Side AnalysisiOS Client Side Analysis
iOS Client Side Analysis
 
Android sandbox
Android sandboxAndroid sandbox
Android sandbox
 

Null Dubai Humla_Romansh_Yadav_Android_app_pentesting

  • 1. Android App Pentesting Null Dubai 2020 Romansh Yadav
  • 2. Content Android Introduction & Basics Setting up the Android Pen testing environment lab Reverse engineering & runtime manipulation Application Components and security issues Data and Network interception – manipulation and analysis Defensive Tools & Techniques for Android
  • 4. Android system Architecture ➢ Application ➢ Application Framework ➢ Libraries ➢ Android runtime ➢ Linux kernel
  • 5.
  • 6. Android File System  Android uses the Linux file system structure which has a single root.  Etc  Sdcard  Sdcard-ext
  • 7. Android - Permission model & sandboxing • Android assigns a unique user ID (UID) to each Android application and runs it in its own process. • Android uses the UID to set up a kernel-level Application Sandbox • On Android, each app runs as its own “user”, as far as the kernel is concerned (UID), and the kernel guarantees that different “users” are unable to interfere with each other, access each other’s files.
  • 8. Android - Permission model & sandboxing
  • 9. Android Application Fundamentals Android apps are written in the Java programming language. The Android SDK tools compile your code—along with any data and resource files—into an APK: an Android package, which is an archive file with an .apk suffix. One APK file contains all the contents of an Android app and is the file that Android-powered devices use to install the app.
  • 10. Java code into apk  Java code  Javac complier  .class file(byte code)  Dx complier  Classes.dex code or we can say dalvik executable code  Then .apk
  • 11. Android Components  Content Provider  Activity  Services  Broadcast Receiver  intents  Intents bind individual components to each other at runtime (you can think of them as the messengers that request an action from other components),whether the component belongs to your app or to other.
  • 12. Setting up the Pen testing environment
  • 13. Setting the Android Emulator & other required settings.  Download santaku VM  Download appie for windows os  Download Genymotion  Deployed a Andorid custom 6.0 OS image into Genymotion  Start android OS from the Genymotion  Both vm shouldbe same network  Ping android OS ip from the santaku OS
  • 14. Penetration Testing Approach Static Penetration testing  Code in rest, app is not running  Decompile apk  Analysing the source code Dynamic penetration testing  App is running  Bypassing restrictionby hooking the app  Analysing the application using burp suite  Runtime manipulation
  • 16. Tampering and Reverse Engineering  Reverseengineering a mobile app is the process of analyzing the compiled app to extract informationabout its source code. The goal of reverse engineering is comprehending the code.  Tampering is the process of changing a mobileapp (either the compiled app or the running process) or its environment to affect its behavior. For example,an app might refuse to run on your rooted test device,making it impossible to run some of your tests. In such cases, you'll want to alter the app's behavior.
  • 17. Apk De-compilation  There are many tools to De-compilationa apk  Let's try frist method  Apktool d name.apk  You will get a folder with smalli code  Try to explore all these folder
  • 18. Apk De-compilation  D2j-dex2jar name.apk  Jd gui filename.jar  Try to understand the code
  • 19. Apk De-compilation  Apk file a archive file  Unzip name.apk  .class file  D2j-dex2jar .class file  You will get the class.jar file
  • 20. Android manifest file  Central fie  Permission  Exported services
  • 21. Reading the class files  Let's try to explore every file we are got after Apk de-compilation  Go to each and evey folder  See all filename also  Try to find hard coded information  Search about the username, password,  Search about the algortitham md5,sh1, sha256,
  • 22. Hands on – Very Basic Bypass Application Restrictions  Postlogin.smali  Search method showroot status  Search keyword like device not rooted  Device rooted  Try to read it
  • 23. Hands on - Bypass Application Restrictions  Add a line  Goto: cond_2
  • 24. Hands on - Recompile and Resign the APK  Apk b foldername  java -jar sign.jar InsecureBankv2.apk  adb install filename.apk  Run the application  You will finddevice not rooted.
  • 25. Hands on –Authorization bypass using code Tampering  Apktool d insecurebankv2.apk  InsecureBankv2/res/values  String.xml  Modify the value of “is_admin” from “no” to “yes”  Apktool b insecurebankv2  Sign the apk  Install the apk  You will see a new button create user
  • 26. Frida  As per frida website:  “ It’s Greasemonkey for native apps, or, put in more technical terms, it’s a dynamiccode instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux,iOS, Android, and QNX.  Frida also provides you with some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.”
  • 27. Frida  We need to install some python packages for frida server.  For this enter following commandin terminal:  python -m pip install Frida python -m pip install objection python -m pip install frida-tools  Or  pip install Frida pip install objection pip install frida-tools
  • 28. Frida-server  We need to download the frida server package for our android device according to our device’s arch version.  https://github.com/frida/frida/releases/  To find out the arch version of the device, run following command.  adb shell getprop ro.product.cpu.abi  To cut short download following if deviceconfiguration is the same as mentionedabove:  frida-server-12.4.7-android-x86.xz frida-server-12.4.7-android-x86_64.xz
• 29. Hands on - Runtime manipulation  Runtime manipulation with Frida (requires a rooted device or emulator)  Bypass the root detection using Frida  adb push frida-server-file /data/local/tmp/frida-server  adb shell chmod 755 /data/local/tmp/frida-server  adb shell "/data/local/tmp/frida-server &"  frida-ps -Uai (lists installed apps and their identifiers)  frida -U -f package-name -l script.js --no-pause (spawns the app with the hook script loaded)
• 31. Finding hard-coded credentials  d2j-dex2jar insecurebankv2.apk  Open the resulting .jar in JD-GUI  Search for "username"  Search for "password"  A hard-coded "devadmin" username is found  Also called a developer backdoor
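The manual searches of slides 21 and 31 (usernames, passwords, algorithm names) are easy to automate over the JD-GUI export or the apktool tree. The following scanner is an added example, not code from the talk or from InsecureBankv2; SAMPLE_SOURCE is constructed for illustration and the regexes are this example's own starting set.

```python
"""Added example (not from the slides or InsecureBankv2): a grep-style scanner
for the searches described above, run over decompiled sources.
SAMPLE_SOURCE is constructed for illustration only."""
import os
import re

# Identifiers that usually hold credentials, assigned a string literal on the same line.
CREDENTIAL_RE = re.compile(
    r'\b(?P<name>\w*(?:user(?:name)?|pass(?:word|wd)?|secret|api_?key|token)\w*)'
    r'\s*=\s*"(?P<value>[^"]+)"',
    re.IGNORECASE,
)
# JCA algorithm strings worth a finding: broken hashes, ECB mode, legacy ciphers.
WEAK_ALGO_RE = re.compile(
    r'"(?P<algo>MD2|MD5|SHA-?1|DES|DESede|RC2|RC4|Blowfish|AES/ECB(?:/[^"]*)?)"',
    re.IGNORECASE,
)

# Constructed sample in the shape of a JD-GUI decompiled class.
SAMPLE_SOURCE = """\
public class DoLogin extends Activity {
    String username = "devadmin";
    String password = "Passw0rd!";
    private static final String API_KEY = "c0nstructed-k3y";
    MessageDigest md = MessageDigest.getInstance("MD5");
    Cipher weak = Cipher.getInstance("AES/ECB/PKCS5Padding");
    Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
    String label = "username";
}
"""


def scan_source(text, filename="<memory>"):
    """Return (filename, line_no, kind, detail) for every hit in one source file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CREDENTIAL_RE.finditer(line):
            findings.append((filename, line_no, "hardcoded-credential",
                             f'{m.group("name")} = "{m.group("value")}"'))
        for m in WEAK_ALGO_RE.finditer(line):
            findings.append((filename, line_no, "weak-algorithm", m.group("algo")))
    return findings


def scan_tree(root, exts=(".java", ".smali", ".xml")):
    """Walk a decompiled tree (JD-GUI export or apktool output) and scan each source file.
    .smali const-string lines still trigger the algorithm check; .xml covers strings.xml."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), path))
    return findings


if __name__ == "__main__":
    for hit in scan_source(SAMPLE_SOURCE):
        print(hit)
```

Every hit still needs manual review in JD-GUI (a literal named "username" may be a UI label, as the last sample line shows), but the scan tells you which files to open first.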
• 32. Insecure data storage  Insecure storage of data: many developers assume that storing data on the client side keeps other users (and other apps) from reading it  Shared preferences (/data/data/<package>/shared_prefs/*.xml)  External storage such as the sdcard, readable by any app with storage permission  SQLite databases (/data/data/<package>/databases/)
• 33. Drozer  One of the essential tools for Android application security assessment  Drozer comes pre-installed in Appie; if you are using it, no installation or setup is needed  By default the drozer agent on the device listens on port 31415, so use the Android Debug Bridge (ADB) to forward the drozer client's connections to it:  adb forward tcp:31415 tcp:31415  Type drozer console connect and it will split the screen and open the drozer console in the other part
• 34. Invoking Activities using drozer  Type list in the drozer console to see all modules that ship with Drozer  run app.package.attacksurface <<package name>> (reports the exported components; only those can be reached from another app)  Attacking Activities by launching them:  List the activities of a package: run app.activity.info -a <<package_name>>  Launch a selected activity: run app.activity.start --component <<package_name>> <<activity_name>>
• 35. Invoking Activities using Activity Manager  adb shell am start -n com.android.insecurebankv2/.PostLogin (launches PostLogin directly, skipping the login screen; this only works for an exported activity)
• 36. Analyzing logs using logcat  adb logcat  pidcat <package name> (filters logcat to a single package)
• 37. Weak hashing algorithm  File mySharedPreferences.xml  The username and password are stored in the file in encrypted, not hashed, form, so the plaintext is recoverable by anyone who can read the key  Value of "superSecurePassword"  Check the file CryptoClass.class in JD-GUI to see how the key and IV are obtained  AES/CBC/PKCS5PADDING
• 38. Exploiting content providers using drozer  run app.package.attacksurface <<package name>>  Finding the URIs:  run app.provider.finduri <<package name>>  run app.provider.query <uri>
• 39. Hands on - Using broadcast receivers  adb shell am broadcast -a theBroadcast -n com.android.insecurebankv2/com.android.insecurebankv2.MyBroadCastReceiver --es phonenumber 971867 --es newpass heythere <do it yourself with Frida at home>  run app.broadcast.info --package <packagename>  run app.broadcast.send <<<do it yourself>>>
• 40. Exploiting Android backup misconfiguration  The app's manifest allows backups (android:allowBackup="true"), so its private data can be pulled with ADB:  adb backup -apk -shared com.android.insecurebankv2  When prompted on the emulator, tap "Back up my data"  The result is an .ab file  Convert it into readable form: skip the 24-byte header and inflate the zlib-deflated body into a tar archive:  cat backup.ab | (dd bs=24 count=0 skip=1; cat) | zlib-flate -uncompress > backupdata.tar  (the header is 24 bytes only for an unencrypted backup with a single-digit format version)
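The dd | zlib-flate one-liner works because an unencrypted .ab starts with four header lines ("ANDROID BACKUP", version, compressed flag, encryption) that happen to total 24 bytes; it silently breaks on an encrypted backup. The parser below is an added example, not code from the talk: it reads the header fields instead of assuming the offset, refuses encrypted backups, and inflates the tar. The backup bytes are constructed in memory so it runs offline; the member path follows the apps/<package>/sp/ layout adb backup uses for shared preferences, with a constructed value.

```python
"""Added example (not from the slides): parse an 'adb backup' .ab file in Python,
the equivalent of the dd | zlib-flate pipeline above, with the header checks the
one-liner skips. The backup bytes are constructed in memory so it runs offline."""
import io
import tarfile
import zlib

MAGIC = "ANDROID BACKUP"


def build_sample_ab(files, version=b"5", encryption=b"none"):
    """Construct an .ab for testing: four header lines, then a zlib-deflated tar
    of the given {path: bytes} mapping. Not real device output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    header = b"%s\n%s\n1\n%s\n" % (MAGIC.encode(), version, encryption)
    return header + zlib.compress(buf.getvalue())


def parse_ab(blob):
    """Split an .ab file into its header fields and the inflated tar payload.
    Header: four newline-terminated lines (magic, format version, compressed flag,
    encryption algorithm). 'dd bs=24 count=0 skip=1' only works because that header
    is exactly 24 bytes for a single-digit version and encryption 'none'."""
    fields, pos = [], 0
    for _ in range(4):
        nl = blob.index(b"\n", pos)
        fields.append(blob[pos:nl].decode("ascii"))
        pos = nl + 1
    magic, version, compressed, encryption = fields
    if magic != MAGIC:
        raise ValueError("not an Android backup file")
    if encryption != "none":
        # Encrypted backups need the user's backup password; blindly inflating
        # the body, as the one-liner does, just produces a zlib error.
        raise NotImplementedError(f"encrypted backup ({encryption}) not handled")
    body = blob[pos:]
    tar_bytes = zlib.decompress(body) if compressed == "1" else body
    return {"version": int(version), "compressed": compressed == "1",
            "encryption": encryption, "header_len": pos, "tar": tar_bytes}


def list_backup_files(tar_bytes):
    """Return {member_name: content} for the regular files in the backup tar."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return {m.name: tar.extractfile(m).read()
                for m in tar.getmembers() if m.isfile()}


if __name__ == "__main__":
    # adb backup stores app data under apps/<package>/ (sp/ = shared_prefs,
    # db/ = databases, f/ = files); the value here is constructed.
    sample = build_sample_ab({
        "apps/com.android.insecurebankv2/sp/mySharedPreferences.xml":
            b'<map><string name="superSecurePassword">constructed-value</string></map>',
    })
    info = parse_ab(sample)
    for name, content in list_backup_files(info["tar"]).items():
        print(name, content[:60])
```

Point parse_ab at the real backup.ab from the slide and you get the same tar the pipeline produces, plus a clear error instead of zlib garbage when the device owner set a backup password.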
• 41. WebView vulnerabilities  WebViews are used in Android applications to load web content and HTML pages inside the application. Because of this, the WebView implementation must be secure, otherwise it exposes the application to serious risk  XSS inside the WebView  Accessing local files (file:// URLs when file access is enabled)
• 42. MobSF  "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis." --- from the GitHub page  docker pull opensecurity/mobile-security-framework-mobsf  docker run -it --name mobsf -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
  • 43. Data and Network interception – manipulation and analysis
• 44. Hands on - Importing SSL certificates & trusted CAs  Burp Suite CA certificate import  On Android 7+ an app trusts user-installed CAs only if its network security config allows them, so the Burp CA may need to go into the system store (or the app needs patching) before traffic can be intercepted
• 45. Traffic interception (active & passive)  Active interception with Burp Suite  Passive interception with Wireshark or tshark
• 46. Proxies and sniffers  Wireshark and tcpdump  Burp Suite
• 47. Hands on - Intercepting application traffic  Hands-on practical  IDOR attack  API vulnerabilities
• 49. Code Obfuscation Techniques  Obfuscation helps protect your application against reverse engineering  Android's ProGuard tool obfuscates, shrinks and optimizes your code  ProGuard renames classes, fields and methods to semantically obscure names and removes unused code  It does not rewrite string literals, so hard-coded credentials stay readable; obfuscation raises the cost of analysis rather than preventing it  Let's obfuscate an app and see how ProGuard works
• 50. OWASP advanced mobile application code review techniques ▪ Source code review ▪ https://www.owasp.org/images/5/53/OWASP_Code_Review_Guide_v2.pdf
• 51. Insecure network connections ▪ Protect data while in transit ▪ The most commonly used protocols are HTTP and HTTPS ▪ HTTPS should be used ▪ Never use setAllowsAnyHTTPSCertificate:forHost: ▪ Fail safe on SSL errors: implement the connection:didFailWithError: delegate ▪ Do not redirect to HTTP ▪ (the two APIs above are iOS NSURLConnection calls; the Android equivalents to look for are a custom X509TrustManager that accepts every chain and a HostnameVerifier that always returns true)
• 52. Benefits of Mobile Application Code Reviews ▪ Detect injection flaws ▪ Detect backdoors or suspicious code ▪ Detect hardcoded passwords and secret keys ▪ Detect weak algorithm usage and hardcoded keys ▪ Detect the data storage definitions
• 53. References  https://github.com/dineshshetty/Android-InsecureBankv2  https://appsecwiki.com/#/mobilesecurity  https://github.com/HTBridge/pivaa  https://www.owasp.org/images/5/53/OWASP_Code_Review_Guide_v2.pdf